Serving multiple Certificates for one host name

Situation

I have the hostname status.example.app, which is behind a Cloudflare proxy. When users connect through a Cloudflare proxy I want to serve the strict origin certificate that Cloudflare requires and verify the client certificate. When Traefik comes from my local network, hence one of my apps calling status.example.app, I want to serve a local certificate. Both require the host name in the route, as this Traefik instance will have other routes.

Can any of you think of how to do this? It's fairly simple in Envoy, but I see the conflict: according to the docs, there will always be a resolve to the default certificate because 2 TLS options cannot exist for the same host.

What’s a "local certificate"? Is that a custom one you have manually created?

The local certificate is one I generate with Let's Encrypt which is valid using the Cloudflare certresolver. That isn't the issue; it's multiple TLS options for 1 hostname.

Technically you can create routers with different TLS, not sure if that would work, though. If Traefik is smart enough to enable two certs on the entrypoint for the client/browser to pick.
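
The setup discussed in this thread, written out as a Traefik dynamic (file provider) configuration. This is an added example, not a configuration posted by anyone in the thread; the router, service and option names, the entrypoint name, the file paths, the backend URL and the LAN range are all assumptions. It shows two routers on the same host referencing different TLS options, which is the case the question says the docs resolve to the default options.

```yaml
# Constructed illustration: names, paths and CIDR are placeholders.
http:
  routers:
    # Intended for traffic arriving through the Cloudflare proxy.
    status-cloudflare:
      rule: "Host(`status.example.app`)"
      entryPoints: [websecure]
      service: status
      tls:
        options: cf-strict        # wants client-certificate verification
    # Intended for callers on the local network.
    status-local:
      rule: "Host(`status.example.app`) && ClientIP(`192.168.0.0/16`)"
      entryPoints: [websecure]
      service: status
      tls:
        certResolver: cloudflare  # Let's Encrypt certificate via the resolver
        options: local            # no client certificate requested
  services:
    status:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:8080"

tls:
  certificates:
    # Cloudflare origin certificate for the proxied path.
    - certFile: /etc/traefik/certs/origin.pem
      keyFile: /etc/traefik/certs/origin.key
  options:
    cf-strict:
      minVersion: VersionTLS12
      clientAuth:
        caFiles:
          - /etc/traefik/certs/origin-pull-ca.pem
        clientAuthType: RequireAndVerifyClientCert
    local:
      minVersion: VersionTLS12
# Both routers name the same host, so the TLS handshake for
# status.example.app sees two competing option sets. TLS options apply at
# handshake time, before the HTTP rule (including ClientIP) is evaluated.
# Check for this at runtime: a request without a client certificate that
# still succeeds on the Cloudflare path means cf-strict was not applied.
```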